pam-krb5 3.6 released
Nicolas Williams
Nicolas.Williams at sun.com
Wed Sep 19 17:57:15 EDT 2007
On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller wrote:
> Did you have a chance to look at the keytab verification problem I
> mentioned some time ago? Right now you need to have a host/fqdn entry to
> verify the tickets, but this means the application needs to run as root
> (Assuming verify_ap_req_nofail is set to true which I think should be the
> default for pam anyway)

Solaris PAM requires that PAM functions be called with all [zone]
privileges asserted. It's a very good simplifying assumption that PAM
modules will need privilege, and PAM being pluggable, the framework and
the application cannot know a priori which privileges a module might
need. I would apply the same constraint to Linux-PAM.

Applications like screen savers must either be part of the trusted base,
and setuid or what-have-you, or they must be able to use a helper
process to handle authentication.

Nico